In coin tossing two remote participants want to share a uniformly distributed random bit. At least in the quantum version, each participant tests whether or not the other has attempted to create a bias on this bit. It is requested that, for $b = 0, 1$, the probability that Alice gets bit $b$ and passes the test is smaller than 1/2 whatever she does, and similarly for Bob. If the bound 1/2 holds perfectly against any of the two participants, the task realised is called an exact coin tossing. If the bound is actually $1/2 + \epsilon$ where the bias $\epsilon$ vanishes when a security parameter $m$ defined by the protocol increases, the task realised is a (non exact) coin tossing. It is found here that exact coin tossing is impossible. At the same time, an unconditionally secure quantum protocol that realises a (non exact) coin tossing is proposed. The protocol executes $m$ biased quantum coin tossing procedures at the same time. It executes the first round in each of these $m$ procedures sequentially, then the second rounds are executed, and so on until the end of the $n$ procedures. Each procedure requires $4n$ particles where $n \in O(\lg m)$. The final bit $x$ is the parity of the $m$ random bits. The information about each of these $m$ bits is announced a little bit at a time which implies that the principle used against bit commitment does not apply. The bias on $x$ is smaller than $1/m$. The result is discussed in the light of the impossibility result for exact coin tossing.
a. Introduction. We propose a quantum protocol which does for two remote participants what tossing a fair coin does for two nearby participants. The paper is organised in such a way that it is possible to only read the protocol. Not so many tasks are known which can be realised with quantum protocols. The difficulty became apparent after the discovery that an unconditionally secure quantum bit commitment was impossible [Q. This impossibility result was a severe drawback for quantum cryptography because quantum bit commitment was a basic primitive for many proposed applications in cryptography. For more details about the result and different attempts to realize quantum bit commitments see [Q . However, that was not the end of quantum cryptography. The unconditional security of a quantum key distribution protocol proposed by Bennett and Brassard in 1984 ||] was obtained in 1996 ||, and as the years passed other proofs for different quantum key distribution protocols were obtained that corroborated the result (see |7|j|] and references therein). These results established a variety of tools and proposals much needed to analyse, not only the security, but also the efficiency of quantum key distribution.

Besides key distribution, an unconditionally secure quantum protocol Q for a task called secret sharing [ pO|JTl] ] was proposed. Unconditionally secure classical protocols were already known for this task, but the recently proposed quantum protocol || required fewer resources. Also, secret sharing of classical information was recently extended to secret sharing of quantum information (see Jli| and references therein). Finally, a task called quantum gambling was also obtained fl4|| . To our knowledge, that represents the known accomplishments of unconditional quantum cryptography besides quantum key distribution (and its immediate applications).

Our result may sound surprising since after the impossibility of bit commitment was shown jjj , the natural reaction was to verify whether or not the same kind of limitation holds for quantum coin tossing (which was known to be a weaker two-party primitive). In fact, results were found suggesting that QTC was maybe also impossible Jl7[ |. Only weaker quantum primitives like quantum gambling jl4| have been proposed for achieving non-trivial unconditional security in the two-party model.

In this paper, we will carefully discuss the security criteria for (non ideal) coin tossing and the ideal coin tossing task of Lo and Chau. A coin tossing protocol is exact when the criteria that define the task hold exactly no matter what the cheater does. In our point of view, coin tossing and ideal coin tossing are two different tasks, and each of them has its own exact and non exact versions. We will explain why the most natural objective of quantum cryptography should be a (non ideal) coin tossing, not an ideal (exact or non exact) coin tossing. We will describe our protocol and design an attack with a bias larger than $(1/2)(m-1)^3/m^6 \approx 1/(2m^3)$. We will explain why we believe that the bias is necessarily smaller than $1/m$ in general. To further analyse the protocol, we will define a general attack against exact coin tossing, a larger class than exact ideal coin tossing p6| . This general attack is very instructive because it often applies to protocols even when the objective is weaker than exact coin tossing. This general attack defeats many proposed coin tossing protocols. It will guide us to distinguish between what is possible and what is not. This analysis will suggest that a coin tossing protocol with an exponentially small bias is possible.
b. Security criteria. From a naive viewpoint, a coin tossing protocol is secure against a given participant if, whatever this participant does, the other participant receives a uniformly distributed random bit. The two bits must be identical only when both participants are honest. As we will see, this naive definition of coin tossing is too strong to have any practical value, even in a non exact case where some bias is accepted. This definition does not take into account that at some point the participants will have to indicate whether or not they agree on the bit. For example, if the game is that the loser must pay one coin to the winner, a participant must implicitly announce his decision by accepting or refusing to pay the coin. More convincingly, the standard way to execute coin tossing on top of bit commitment does not respect this security criterion. To realise coin tossing on top of bit commitment, Alice commits a uniformly distributed random bit to Bob, Bob announces a uniformly distributed random bit to Alice, and finally Alice opens her bit. The final bit is the xor of the two bits. In order to defeat the protocol Alice simply does not open her bit. The protocol fails (in accordance with this naive criterion) because Alice has the power to abort the protocol.

A realistic security criterion for coin tossing must accept the fact that a protocol can abort. An example is when Alice refuses to open the bit. The refusal to pay a coin is another example, but formally these payments are not part of the coin tossing task. To include this notion of disagreement in the task, it is requested that each participant outputs either the value "abort" or "accept" at the end. An honest participant should use the value "abort" only if he detects that the other participant has cheated or fails to collaborate. Using the value "abort" at other times is dishonest. Note that no secure coin tossing protocol would exist if a protocol could be declared insecure only because a dishonest participant can adopt this abort strategy. Despite the fact that this strategy does influence the outcome, it is accepted in accordance with the coin tossing security criteria that such a cheating strategy does not defeat the protocol because there is nothing we can do about it. If we don't accept this principle, even the standard coin tossing protocol that is built on top of a perfect bit commitment is insecure, which would contradict one of the most standard reductions in cryptography.

Let $p_b$, $b = 0, 1$, be the probability that (1) the protocol does not abort and (2) the random bit is $b$. For every fixed strategy, these probabilities are well defined. By definition, $p_0 + p_1$ is the probability that the protocol does not abort. Of course, what happens with the bit $b$ when the protocol aborts can be ignored because this bit will not be used. If both participants are honest, we must have $p_0 = p_1 = 1/2$. We say that the protocol is correct. A coin tossing protocol is secure against a participant (say Alice) if (1) it is correct and (2), for every strategy adopted by Alice, the probabilities $p_0, p_1$ which are generated by the protocol can also be generated by a strategy that simply aborts a secure non biased coin tossing in view of the bit obtained. It is not hard to see that this criterion is equivalent to $p_0, p_1 \le 1/2$ for every strategy and $p_0 = p_1 = 1/2$ when both participants are honest. In the non exact case, we should accept $p_0, p_1 \le 1/2 + \epsilon$ where $\epsilon > 0$ is a small bias which vanishes as a security parameter $m$ increases. We will also accept an exponentially small probability that the protocol aborts when the participants are honest.

By definition jlTj , an ideal coin tossing is a coin tossing with the additional constraint $p_0 = p_1$. It is not hard to see that such a constraint is not respected by the standard coin tossing protocol built on top of bit commitment. Alice has only to refuse to open the bit every time the game result is 1. The effect is that $p_0 = 1/2$ and $p_1 = 0$. In the non exact case, we accept $|p_0 - p_1| < \epsilon$, where $\epsilon$ can be arbitrarily small, but even then the standard reduction of coin tossing to bit commitment does not respect this ideal criterion. Therefore, unless we expect to do better than this standard coin tossing protocol, ideal coin tossing (exact or non exact) is not a natural objective for quantum cryptography. Our protocol is a non exact coin tossing protocol, not a non exact ideal coin tossing.
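The two criteria of this section can be checked on the standard commit-then-reveal coin toss. The Python below is an added example, not code from the paper: it assumes a SHA-256 hash commitment as a stand-in for the perfect bit commitment of the text, and the strategy names and helper functions are hypothetical. It computes $(p_0, p_1)$ exactly for several abort strategies of Alice and tests them against the coin tossing and ideal coin tossing criteria.

```python
import hashlib
import secrets
from fractions import Fraction
from itertools import product


def commit(bit: int, nonce: bytes) -> bytes:
    """Commit to one bit. SHA-256 over nonce||bit is an assumed stand-in
    for the perfect bit commitment the text refers to."""
    return hashlib.sha256(nonce + bytes([bit])).digest()


def opening_is_valid(commitment: bytes, bit: int, nonce: bytes) -> bool:
    """Bob's check when Alice opens: recompute and compare in constant time."""
    return secrets.compare_digest(commitment, commit(bit, nonce))


def run_once(a: int, b: int, alice_opens) -> tuple:
    """One run with Alice's committed bit a and Bob's announced bit b.
    alice_opens(result) is Alice's (possibly dishonest) decision to open.
    Returns (verdict, bit); bit is None when the run aborts."""
    nonce = secrets.token_bytes(16)
    commitment = commit(a, nonce)       # Alice -> Bob
    result = a ^ b                      # known to Alice once Bob announces b
    if not alice_opens(result):         # Alice withholds the opening
        return ("abort", None)
    if not opening_is_valid(commitment, a, nonce):
        return ("abort", None)
    return ("accept", result)


def outcome_probabilities(alice_opens) -> tuple:
    """Exact (p0, p1): enumerate the four equally likely pairs (a, b)."""
    p = [Fraction(0), Fraction(0)]
    for a, b in product((0, 1), repeat=2):
        verdict, bit = run_once(a, b, alice_opens)
        if verdict == "accept":
            p[bit] += Fraction(1, 4)
    return tuple(p)


def is_coin_tossing(p, eps=Fraction(0)) -> bool:
    """Criterion of the text: p0 and p1 never exceed 1/2 + eps."""
    return all(pb <= Fraction(1, 2) + eps for pb in p)


def is_ideal(p, eps=Fraction(0)) -> bool:
    """Ideal criterion: additionally p0 and p1 agree up to eps (eps = 0: exact)."""
    return is_coin_tossing(p, eps) and abs(p[0] - p[1]) <= eps


def flipped_opening_rejected() -> bool:
    """Binding check: opening the commitment as the other bit must fail."""
    nonce = secrets.token_bytes(16)
    return not opening_is_valid(commit(0, nonce), 1, nonce)


# Hypothetical strategy names; each maps the game result to "open or not".
STRATEGIES = {
    "honest": lambda result: True,
    "abort_on_1": lambda result: result == 0,   # the strategy described above
    "abort_on_0": lambda result: result == 1,
    "always_abort": lambda result: False,
}


def evaluate_all() -> dict:
    return {name: outcome_probabilities(s) for name, s in STRATEGIES.items()}


if __name__ == "__main__":
    for name, p in evaluate_all().items():
        print(name, p, "coin tossing:", is_coin_tossing(p), "ideal:", is_ideal(p))
```

Every strategy stays within the coin tossing criterion, while "abort_on_1" gives $p_0 = 1/2$, $p_1 = 0$ and so fails the ideal criterion for any small $\epsilon$.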

The protocol. Let $\psi(0) = c|0\rangle + s|1\rangle$ and $\psi(1) = c|0\rangle - s|1\rangle$, where $c, s$ are real numbers such that the angle between the two states is $\theta$. The angle $\theta$ is a parameter in the protocol which should be optimised. We propose $\theta = \pi/9$. Let us define $\Phi(0) = \otimes_{k=1}^{n} \psi(0)$ and $\Phi(1) = \otimes_{k=1}^{n} \psi(1)$. The angle $\Theta$ between $\Phi(0)$ and $\Phi(1)$ is given by $\cos(\Theta) = \cos^n(\theta)$. Note that $(\pi/2 - \Theta)$ is exponentially small. Let $(E_0, E_0^{\perp})$ and $(E_1, E_1^{\perp})$ be the POVMs on the $2^n$ dimensional space for the $n$ particles defined via $E_0 = |\Phi(0)\rangle\langle\Phi(0)|$, $E_1 = |\Phi(1)\rangle\langle\Phi(1)|$, $E_0^{\perp} = 1 - E_0$ and $E_1^{\perp} = 1 - E_1$. The outcomes associated with $E_0$ and $E_1$ are respectively 0 and 1, whereas the outcomes associated with $E_0^{\perp}$ and $E_1^{\perp}$ are denoted $\perp$ in both cases (we don't need to distinguish these two cases). For $a \in \{0, 1, \perp\}$, we adopt the convention $a \oplus \perp = \perp$. In the protocol the standard ordering of the nested loops "For $i = 1 \ldots n$ do: For $j = 1 \ldots m$ do:" must be respected, especially at step 3.

Step 1- For $j = 1 \ldots m$ do: Alice uniformly picks at random a bit $a_j$ and Bob uniformly picks at random a bit $b_j$. The final bit will be the xor of all bits $x_j = (a_j \oplus b_j)$.

Step 2- For $i = 1, \ldots, n$ do: For $j = 1, \ldots, m$ do: Alice uniformly picks a random bit $c_{ij}$ and sends a pair of particles in the state $\psi(c_{ij}) \otimes \psi(\bar{c}_{ij})$; Bob uniformly picks a random bit $d_{ij}$ and sends a pair of particles in the product state $\psi(d_{ij}) \otimes \psi(\bar{d}_{ij})$. At this stage no information at all about the bits $a_j$ and $b_j$ is unveiled.

Step 3- For $i = 1, \ldots, n$ do: For $j = 1, \ldots, m$ do: Alice announces $e_{ij} = a_j \oplus c_{ij}$ and Bob returns the second particle at position $(i,j)$ if $e_{ij} = 0$ and the first particle otherwise; Bob announces $f_{ij} = b_j \oplus d_{ij}$ and Alice returns the second particle at position $(i,j)$ if $f_{ij} = 0$ and the first particle otherwise. At this stage, for every $j$, the $n$ particles sent by Alice and not returned by Bob are in the state $\Phi(a_j)$ and the $n$ particles sent by Bob and not returned by Alice are in the state $\Phi(b_j)$. Similarly, for every $j$, the $n$ particles returned by Bob are in the state $\Phi(\bar{a}_j)$, whereas the $n$ particles returned by Alice are in the state $\Phi(\bar{b}_j)$.

Step 4- For $j = 1 \ldots m$ do: Alice announces $a_j$, Bob executes the POVM $(E_{a_j}, E_{a_j}^{\perp})$ on $\Phi(a_j)$, notes the outcome $\hat{a}_j$ and if $\hat{a}_j = \perp$ the protocol aborts; Alice executes the POVM $(E_{b_j}, E_{b_j}^{\perp})$ on $\Phi(b_j)$, notes the outcome $\hat{b}_j$ and if $\hat{b}_j = \perp$ the protocol aborts.

Step 5- For $j = 1 \ldots m$ do: Alice measures the state $\Phi(\bar{a}_j)$ returned by Bob at position $j$ with the POVM $(E_{\bar{a}_j}, E_{\bar{a}_j}^{\perp})$ and if the outcome is $\perp$ the protocol aborts; Bob measures the state $\Phi(\bar{b}_j)$ returned by Alice at position $j$ with the POVM $(E_{\bar{b}_j}, E_{\bar{b}_j}^{\perp})$ and if the outcome is $\perp$ the protocol aborts.

Alice's final bit is $A \oplus \hat{B}$ where $A = \oplus_j a_j$ and $\hat{B} = \oplus_j \hat{b}_j$. Bob's final bit is $\hat{A} \oplus B$ where $\hat{A} = \oplus_j \hat{a}_j$ and

To explain how this protocol works, let us consider the procedure obtained if every loop statement "For $j = 1 \ldots m$ do:" in the protocol is only executed for a fixed value of $j$, and the other values of $j$ are ignored. The restricted protocol becomes a biased coin tossing procedure BiasedCoin$(a_j, b_j)$ which returns the random bit $x_j = a_j \oplus b_j$. The complete protocol can be described in terms of the procedure BiasedCoin in the following way. Alice and Bob execute the first round of BiasedCoin for $j = 1, \ldots, m$, then the second round of BiasedCoin for $j = 1, \ldots, m$, and so on until the last round. They do not wait until after the end of the procedure BiasedCoin$(a_j, b_j)$ before starting the procedure BiasedCoin$(a_{j+1}, b_{j+1})$. This is very important, because otherwise the protocol would be ruled out by a theorem of Santha and Vazirani jl8| which states that one cannot make a less biased coin tossing protocol on top of a biased coin tossing if the biased coin tossing is used sequentially.

The basic idea in BiasedCoin is that at the same rate Alice and Bob progressively provide information at step 3 about their respective bits $a_j$ and $b_j$. Alice can influence the xor $a_j \oplus b_j$ as much as she has information about $b_j$. For example, at the beginning of step 3 she knows nothing about $b_j$, and therefore her first request cannot influence at all the bit $a_j \oplus b_j$. At the time where she has more information about $b_j$, she has already committed herself to a large degree to the bit $a_j$. Therefore, Alice cannot entirely control the bit $a_j \oplus b_j$. The same thing is true for Bob.

Note that it is important that Alice and Bob send particles at step 2 which they ask back at step 3. In a previous version of the protocol, Alice and Bob sent their respective states $\psi(a_j)$ and $\psi(b_j)$ directly at step 2, not pairs of states. The situation that was obtained in this previous version after step 2 is the one that we have here in the protocol after step 3. Steps 3 and 5 were not used. An attack completely defeated this previous version. The attack was simple, but easy to miss! When Bob receives $\psi(a_j)$ he sends back the state to Alice in replacement of the state $\psi(b_j)$. From Alice's viewpoint, his behavior is exactly as if $b_j = a_j$. At the end, Alice announces $a_j$ first, and then Bob announces $b_j = a_j$ to pass the test. (To hide his strategy, Bob can change the order of the positions $j$ when he returns the particles.) This attack does not apply to our protocol anymore. Bob cannot transfer quantum information from a particle coming from the $a$ side to another one that he will send on the $b$ side at step 2 and be ready to return the original particle on the $a$ side at step 3 without creating any disturbance. This situation reminds us of Eve's dilemma in a quantum key distribution protocol.

c. A conjectured optimal attack. Here we describe what we believe is, modulo some fine tunings, an optimal attack against the protocol. We can assume that Bob is the cheater because he has more power than Alice. Clearly, if the states sent (and not asked back) by Bob are independent of the $a_j$, the protocol is not defeated. To defeat the protocol, Bob must transfer information from the bits $a_j$ to the outcomes $b_j$. Without loss of generality, we assume that Bob wants a bias toward 0.

For every $j$, Bob receives $2n$ particles. However, Bob will only interact with the $n$ particles which he does not have to return. The intuition is that extra information is only useful if it is obtained for every $j$, which implies that the probability of failing the test will be very large, even before a small bias could be created. Also, Bob will be honest on what he sends to Alice for every $j = 1 \ldots m-1$, and only try to influence the bit $b_m$. The intuition is that changing the single bit $b_m$ is sufficient to change the parity $B$, and, for every $i$, Bob has more information when $j = m$. Let $B^{(m-1)} = \oplus_{j=1}^{m-1} b_j$, and recall $A = \oplus_j a_j$. Clearly, Bob's optimal strategy is to always announce $b_m^d = A \oplus B^{(m-1)}$ at the end, even if in doing so his probability to pass the test is very small.

The following formulas are useful. Consider a uniformly distributed random bit $a$ coded into a state $\psi_a$, and let $\Omega$ be the angle between $\psi_0$ and $\psi_1$. We have that the probability of error with the best POVM to guess $a$ is

$$\mathrm{PE} = \sin^2(\pi/4 - \Omega/2) = (1/2)[1 - \sin(\Omega)].$$

The probability of determining conclusively the value of $a$ with the best POVM for that purpose is

$$\mathrm{PC} = 1 - \cos(\Omega).$$

Note that if one obtains a conclusive outcome with probability PC, then he can guess bit $a$ with probability of error $(1 - \mathrm{PC})/2$ which must not be smaller than PE by definition of PE (and this inequality can easily be verified). If Bob has sent the state $\psi_0$ and he announces that he has sent the state $\psi_1$ his probability of passing the best test to verify his announcement is

$$\mathrm{PS} = \cos^2(\Omega).$$

In the appendix, we show that if $m$ bits $a_1 \ldots a_m$ are coded into a product state $\psi_{a_1} \ldots \psi_{a_m}$, the probability of error in the best POVM to guess the parity bit $A = \oplus_j a_j$ is (exactly)

$$\mathrm{PE}(m) = (1/2)[1 - \sin^m(\Omega)].$$

We obtain that the probability of a conclusive outcome on the parity bit is bounded above by

$$\mathrm{PC}(m) = \sin^m(\Omega).$$

Here is the attack. At the beginning Bob will be honest for every $j = 1 \ldots m$, until $i = \lceil \lg_c((m-1)/m^2) \rceil$ where $c = \cos(\theta)$. At this stage, he has received $i$ particles from Alice for every $j$, but he has not yet sent the $i$th particle to Alice at position $j = m$. This value of $i$ is chosen so that $\cos(\Omega_i) = \cos(\theta)^i \le (m-1)/m^2$ and $\cos(\Omega_{i-1}) = \cos(\theta)^{i-1} > (m-1)/m^2$. He executes the measurement on the states $\Phi(a_j)$ that maximises the probability of a conclusive outcome for each $a_j$. He will obtain the value of $b_m^d$ with a probability PC greater than $1/m$. If $b_m^d = b_m$, then he continues honestly which means that the final bit will be 0, otherwise he swaps the value of $b_m$ used in his preparation, and he will pass the test with probability PS greater than $(m-1)^2/m^4$. The probability of 0 is $(1/2)(1 + \mathrm{PC} \times \mathrm{PS})$. The bias will be larger than $(1/2)(m-1)^3/m^6 \in O(1/m^3)$. The bias in this conjectured optimal attack is smaller than $1/m$ because, for $0 < c = \cos(\theta) < 1$, $(1/2) \times \mathrm{PC} \times \mathrm{PS} = (1/2)c^m[1 - c^2]$ is necessarily smaller than $[m/(m+2)]^{m/2}[1/(m+2)] < 1/m$.

d. A general attack against exact coin tossing. The general attack that we propose is an adaptation of the general attack against bit commitment jj| . Understanding this attack will help us to analyse the protocol further. Note that exact coin tossing is a larger class than exact ideal coin tossing JT^JT^] . To determine the attack we must first know who can apply the attack. At any given round in the honest protocol, before a participant sends information, he can try to find out whether or not he has the power to guess perfectly the game result. Conceptually, we can think that a measurement provides this information by returning the outcome "can" or "cannot". By definition, the result "can" means that subsequently the participant can make another measurement with two outcomes 0 and 1 such that the associated collapsed states $\Psi_0$ and $\Psi_1$ guarantee that the final game result is 0 and 1 respectively. For every participant, there exists necessarily a step together with a measurement that returns the outcome "can" with probability 1 at that step (we include this constraint in the definition of exact). At previous steps, with a probability smaller than 1 the participant might have received sufficient information to guess perfectly the game result, that is, the outcome "can" might occur with some probability smaller than 1 at previous steps. We do not consider these steps. We only consider steps at which a participant can systematically guess the game result. Without loss of generality let us assume that Bob is the first to reach such a step.

Let $\Psi_0$ and $\Psi_1$ be the collapsed states associated with the result 0 and 1 obtained by Bob at this step. At this step, the fidelity between the two density matrices on Alice's side associated with $\Psi_0$ and $\Psi_1$ respectively is necessarily greater than 0. Otherwise, Alice has reached before Bob a step at which she can systematically find out the game result, which is a contradiction.

To execute the attack Bob first executes the honest protocol at the quantum level (see for more details) until after he reaches the step that is described above. At the end of the protocol, the three outcomes 0, 1 and abort on Alice's side correspond formally to the outcomes of some measurement. We know that in the honest protocol $\Psi_1$ leads to 1 with certainty and $\Psi_0$ leads to 0 with certainty. Being honest, Bob gets $\Psi_0$ and $\Psi_1$ with probability 1/2 each. When he gets $\Psi_1$ he continues honestly and Alice obtains 1. So, we have that $p_1$ is at least 1/2. When he gets $\Psi_0$, he moves a little bit toward $\Psi_1$ as in the attack against quantum bit commitment |l|,^|. This implies that $p_1$ is now larger than 1/2 and therefore the protocol is not an exact coin tossing.

We have to make sure when we design a coin tossing protocol that it is not ruled out by the above attack which is likely to apply even if the objective is weaker than exact coin tossing. This guideline is very useful. To illustrate this point we describe a naive (non exact) coin tossing protocol. This naive protocol can be defeated by Bob using this general attack against exact coin-tossing, despite the fact that the protocol does not intend to realize exact coin-tossing. The usual rectilinear and diagonal bases are denoted $+$ and $\times$ respectively. The states of the rectilinear basis are denoted $|0\rangle$ and $|1\rangle$. The diagonal basis is given by $|0\rangle_\times = (1/\sqrt{2})(|0\rangle + |1\rangle)$ and $|1\rangle_\times = (1/\sqrt{2})(|0\rangle - |1\rangle)$.

A naive protocol. Step 1: Alice prepares $m$ states $\phi_j = (1/\sqrt{2})[|00\rangle + |11\rangle]$ and sends the second photon in each state to Bob. Step 2: For each position $j = 1, \ldots, m$, Bob picks at random one of the bases $+$ or $\times$, sends the basis to Alice and measures his photon in that basis. Step 3: Alice measures her photons in the bases announced by Bob and announces the $m$ bits returned. For both participants, the final bit is the xor of the $m$ outcomes (s)he obtains on his side. The test: Bob verifies that the $m$ bits announced by Alice are correct.

To apply the general attack on this naive protocol Bob must locate the step in the honest protocol at which with probability one he can learn completely the game result. In the naive protocol Bob can learn the game result when he chooses the bases. We have a big problem because at this step Alice can obtain almost no information at all about the game result (because she doesn't know the bases). We must conclude that Bob can pass from 0 to 1 with probability almost 1. In practice, Bob simply learns the bit by being honest, and then, if he loses, he swaps a few bases in the announcement to randomize the game result again. In this way, he creates an additional bias. To almost completely defeat the protocol, Bob will have to use the principle explained in g, that is, he will have to keep all his computation at the quantum level until he learns the bit returned by the honest protocol. Here, it means that the bases will be kept in superposition in quantum registers, the measurements will be executed using the computer and their outcomes also kept in quantum registers, etc. Nothing should be classical except the game result. Then, if he doesn't get the bit he wants, he can swap to this bit with probability almost 1.

We learned from the analysis of this attack that we must guarantee that at the time a participant can learn the game result, the other participant must also have received a large amount of information about the game result. If that is the case, then this attack will only allow the cheater to create a small additional bias.

Now we apply this attack to our protocol. Bob will learn the game result first when Alice announces bit $a_m$. At that time, Bob will know everything, but he will not yet have announced his bit $b_m$. He can move the bit toward 1 only if he can swap $b_m$. As a first approximation, we can ignore the perhaps more efficient version of the attack in which Bob keeps $b_m$ in superposition as a control qbit. Every classical value will be announced in the honest protocol, except $b_m$ but even $b_m$ will be almost totally announced. Even if $b_m$ was initially in a quantum superposition, at the moment of swapping $b_m$, the qbit will be (except with an exponentially small bias) indistinguishable from a classical mixture. Bob's problem is that after having sent $n$ informative states about $b_m$, his probability to pass the test if he swaps $b_m$ is exponentially small in $n$.

In this attack, Bob could not use the fact that he knows completely the $a_j$ just before swapping $b_m$ because Alice's test essentially fixed the value of $b_m$ (and the other $b_j$ were totally fixed). To avoid this difficulty, Bob must swap the game result before he has sent too much information about the bits $b_m$ and thus increase his probability to pass the test. This is exactly what Bob does by using conclusive measurements to determine $A$ as soon as possible with a probability $\mathrm{PC} > 1/m$. The problem with the best guess measurements is the following. If Bob uses the best guess measurement for $b_m^d$, the final bit 0 will be obtained when (1) the guess is correct and $b_m^d = b_m$ or (2) the guess is correct, $b_m^d \ne b_m$ and the test $(E_{b_m^d}, E_{b_m^d}^{\perp})$ performed by Alice is successful. These two cases occur with total probability $(1/2)(1 - \mathrm{PE})(1 + \mathrm{PS})$ where PE is the probability of error in the guess and PS is the probability that the test $(E_{b_m^d}, E_{b_m^d}^{\perp})$ performed by Alice is successful.

Let $\mathrm{PE}(1)$ be the probability of error while guessing a single bit $a_j$. Bob's probability to fail the test $1 - \mathrm{PS}$ will be about the same as his probability $1 - \mathrm{PE}(1)$ to guess correctly any bit $a_j$. The probability $(1 - \mathrm{PE})$ to guess correctly the parity of the bits $a_j$ will be approximately $(1 - \mathrm{PE}(1))^m \approx 1 - m\,\mathrm{PE}(1)$ (and this is true even if coherent measurements can be used to obtain the best guess on the parity bit). Therefore, $(1/2)(1 - \mathrm{PE})(1 + \mathrm{PS}) < 1/2$, and the strategy is useless.

Of course, with probability $\mathrm{PE}/2$ Bob will have swapped $b_m$ which was originally $b_m^d$ and at a subsequent value of $i$ Bob might want to swap the value of $b_m$ back to its original value. Similarly, with probability $\mathrm{PE}/2$ Bob will have kept $b_m \ne b_m^d$ and at a subsequent value of $i$ he might want to swap it to the value $b_m^d$. However, the probability of error in these subsequent guesses will be about the same, so that a factor $(1 - \mathrm{PE})$ will appear again. A strategy with a conclusive outcome is much better because $\mathrm{PE} = 0$ and the probability of 0 is $(1/2)(1 + \mathrm{PC} \times \mathrm{PS})$.

The above analysis suggests that a better protocol could be obtained if conclusive measurements were impossible, such as is the case when the bits $a_j$ are coded in density matrices. Work is in progress in this direction and there are indications that an exponentially small bias is possible. We recall that it is important that the information is unveiled progressively. One might think that if only a polynomial number of rounds are used, then the rate at which the information will be unveiled cannot allow an exponentially small bias. However, this requirement is only important at the end. The information can be unveiled in such a way that, for every $j$, first 1/2 bit is unveiled, then 3/4 bit is unveiled, then 7/8 bit is unveiled, and so on. This requires only a polynomial number of rounds.

Our protocol is not an exact coin tossing, so it does not defy the impossibility result for exact coin tossing. However, without a careful design of the protocol, this attack would have applied to our coin tossing protocol. Our result corroborates a conjecture proposed by Mayers (IJ stating that the symmetric protocol might be possible whereas the non symmetric tasks, such as one sided secure computations, would be impossible. For example, it will be interesting to find a quantum protocol for the identification task in which Alice (a user) and Bob (a bank) both want to check if they have the same personal identification number (PIN) associated with a particular account, but do not want to unveil their secret PIN in the process. This is also a symmetric task.
APPENDIX A: MINIMAL ERROR PROBABILITY FOR THE PARITY BIT.

This appendix is about the difficulty of finding the parity bit in quantum cryptography. It completes some work done by Bennett, Mor and Smolin in 1996 |Ts| ] .

The setting is the following. Consider two states $\psi(0)$ and $\psi(1)$ at an angle $\Omega$. We have $m$ bits $a_1 \ldots a_m$ encoded by Alice into the product state $\psi(a_1) \ldots \psi(a_m)$ which is sent to Bob. Bob wants to obtain a guess $A^*$ on $A = \oplus_j a_j$ so that $\mathrm{PE}(m) = \Pr(A^* \ne A)$ is minimal. We evaluate exactly the minimum of $\mathrm{PE}(m)$ over all possible POVMs. Next, we use it to easily bound the probability of obtaining a conclusive outcome $\mathrm{PC}(m)$ using $\mathrm{PC}(m) \le 1 - 2\mathrm{PE}(m)$, which comes from the fact that if you obtain a conclusive outcome with probability $\mathrm{PC}(m)$ you will guess the parity bit with probability of error $(1 - \mathrm{PC}(m))/2$, which by definition must be larger than $\mathrm{PE}(m)$. It is easy to determine the POVM that minimises the probability and to actually compute exactly $\mathrm{PE}(m) = \Pr(A^* \ne A)$ for that POVM.

We only do the case where $m$ is odd. The case where $m$ is even is similar. The states $\psi(0)$ and $\psi(1)$ are conveniently written $\psi(0) = c|0\rangle + s|1\rangle$ and $\psi(1) = c|0\rangle - s|1\rangle$, where $c = \cos(\Omega/2)$ and $s = \sin(\Omega/2)$. The two density matrices for the parity $A = 0$ and $A = 1$ respectively are block diagonal (every block is a $2 \times 2$ matrix). If we reorganise the order of rows and columns properly, for $k = 0, \ldots, (m-1)/2$, there are $\binom{m}{k}$ blocks like this one:

$$\begin{pmatrix} c^{2(m-k)} s^{2k} & \pm c^m s^m \\ \pm c^m s^m & c^{2k} s^{2(m-k)} \end{pmatrix}$$

The plus sign is for $A = 0$ and the negative sign for $A = 1$. In particular, one can easily check that

$$\sum_{k=0}^{(m-1)/2} \binom{m}{k} \left[ c^{2(m-k)} s^{2k} + c^{2k} s^{2(m-k)} \right] = 1.$$

Therefore, in both cases, for the best guess or to maximise the probability of a conclusive outcome, the best strategy is to first find out which block we have obtained, and then try to find out the parity given that we have obtained that block. Given that we have one of these blocks the task is easy because every block has the shape

$$\begin{pmatrix} a^2 & \pm ab \\ \pm ab & b^2 \end{pmatrix}.$$

Let $p_k$ be the trace of the block of type $k$, which corresponds to the probability of each block of this type. We have that $ab = (c^m s^m)/p_k$. Using this simple observation, one obtains that the average probability of error over the blocks is

$$\mathrm{PE}(m) = \sum_{k=0}^{(m-1)/2} \binom{m}{k}\, p_k \left[ 1/2 - (c^m s^m)/p_k \right] = (1/2)\left[ 1 - (2cs)^m \right].$$

Therefore, we have obtained $\mathrm{PE}(m) = (1/2)[1 - \sin^m(\Omega)]$. Finally, we obtain $\mathrm{PC}(m) \le \sin^m(\Omega)$. Note that $\mathrm{PC}(1) = 1 - \cos(\Omega)$, and we have $1 - \cos(\Omega) \le \sin(\Omega)$ by the triangle inequality.
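The closed form for $\mathrm{PE}(m)$ can be cross-checked numerically without using the block structure. The Python below is an added example, not code from the paper: it builds the two parity density matrices directly from the product states, computes the minimum error from the trace norm of their difference (the standard Helstrom expression for two equiprobable states, an assumption brought in here), and compares with $(1/2)[1 - \sin^m(\Omega)]$. All function names are hypothetical, and the eigenvalues come from a plain Jacobi iteration so that only the standard library is needed.

```python
import math
from itertools import product


def psi(bit, omega):
    """psi(0) = c|0> + s|1>, psi(1) = c|0> - s|1>, c = cos(omega/2), s = sin(omega/2)."""
    c, s = math.cos(omega / 2), math.sin(omega / 2)
    return [c, s if bit == 0 else -s]


def product_state(bits, omega):
    """Amplitudes of psi(a_1) ... psi(a_m) in the computational basis."""
    vec = [1.0]
    for b in bits:
        vec = [x * y for x in vec for y in psi(b, omega)]
    return vec


def parity_difference(m, omega):
    """rho_0 - rho_1, where rho_A is the uniform mixture over strings of parity A."""
    dim = 2 ** m
    delta = [[0.0] * dim for _ in range(dim)]
    weight = 1.0 / 2 ** (m - 1)
    for bits in product((0, 1), repeat=m):
        sign = weight if sum(bits) % 2 == 0 else -weight
        v = product_state(bits, omega)
        for r in range(dim):
            for col in range(dim):
                delta[r][col] += sign * v[r] * v[col]
    return delta


def symmetric_eigenvalues(matrix, sweeps=50):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations."""
    n = len(matrix)
    a = [row[:] for row in matrix]
    for _ in range(sweeps):
        off = sum(a[p][q] ** 2 for p in range(n) for q in range(p + 1, n))
        if off < 1e-24:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-15:
                    continue
                diff = a[q][q] - a[p][p]
                # Rotation angle that zeroes a[p][q]; |theta| <= pi/4.
                theta = math.pi / 4 if diff == 0.0 else 0.5 * math.atan(2.0 * a[p][q] / diff)
                c, s = math.cos(theta), math.sin(theta)
                for k in range(n):          # A <- A J (columns p and q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p] = c * akp - s * akq
                    a[k][q] = s * akp + c * akq
                for k in range(n):          # A <- J^T A (rows p and q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k] = c * apk - s * aqk
                    a[q][k] = s * apk + c * aqk
    return [a[i][i] for i in range(n)]


def helstrom_error(m, omega):
    """Minimum error for equiprobable parities: (1/2)(1 - (1/2)||rho_0 - rho_1||_1)."""
    trace_norm = sum(abs(ev) for ev in symmetric_eigenvalues(parity_difference(m, omega)))
    return 0.5 * (1.0 - 0.5 * trace_norm)


def closed_form_error(m, omega):
    """PE(m) = (1/2)[1 - sin^m(Omega)] as stated in the appendix."""
    return 0.5 * (1.0 - math.sin(omega) ** m)


def conclusive_bound(m, omega):
    """Upper bound on PC(m) from PC(m) <= 1 - 2 PE(m)."""
    return 1.0 - 2.0 * helstrom_error(m, omega)


if __name__ == "__main__":
    for m in (1, 2, 3, 4):
        print(m, helstrom_error(m, math.pi / 9), closed_form_error(m, math.pi / 9))
```

The comparison holds for even $m$ as well as odd $m$, which matches the remark that the even case is similar.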